diff --git a/pkg/kubelet/dockershim/docker_container.go b/pkg/kubelet/dockershim/docker_container.go
index b8d86f44f5..9f2a153d13 100644
--- a/pkg/kubelet/dockershim/docker_container.go
+++ b/pkg/kubelet/dockershim/docker_container.go
@@ -124,14 +124,6 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeapi
 		Binds: generateMountBindings(config.GetMounts()),
 	}
 
-	// Apply cgroupsParent derived from the sandbox config.
-	if lc := sandboxConfig.GetLinux(); lc != nil {
-		// Apply Cgroup options.
-		// TODO: Check if this works with per-pod cgroups.
-		// TODO: we need to pass the cgroup in syntax expected by cgroup driver but shim does not use docker info yet...
-		hc.CgroupParent = lc.GetCgroupParent()
-	}
-
 	// Apply Linux-specific options if applicable.
 	if lc := config.GetLinux(); lc != nil {
 		// Apply resource options.
@@ -154,6 +146,14 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeapi
 		applyContainerSecurityContext(lc, podSandboxID, createConfig.Config, hc)
 	}
 
+	// Apply cgroupsParent derived from the sandbox config.
+	if lc := sandboxConfig.GetLinux(); lc != nil {
+		// Apply Cgroup options.
+		// TODO: Check if this works with per-pod cgroups.
+		// TODO: we need to pass the cgroup in syntax expected by cgroup driver but shim does not use docker info yet...
+		hc.CgroupParent = lc.GetCgroupParent()
+	}
+
 	// Set devices for container.
 	devices := make([]dockercontainer.DeviceMapping, len(config.Devices))
 	for i, device := range config.Devices {